I am reading this explanation of zkSnark written by Maksym Petkus - http://www.petkus.info/papers/WhyAndHowZkSnarkWorks.pdf
Here the Prover knows a polynomial of degree 3, 2 of the solutions of the polynomial are 3 & 4. He has to prove to the verifier he knows such a polynomial without revealing to the verifier the 3rd solution.
This is the polynomial they use as an example - $P(x) = x^3 - 7x^2 + 12x$
This can be factored as $x(x-3)(x-4)$, so the 3rd solution is $x = 0$
$T(x) = (x-3)(x-4)$
$H(x) = x$ (only prover knows this)
$P(x) = H(x) . T(x)$
$E(c) = g^c \pmod p$.
In short, this is the protocol used
Verifier chooses a random $s$, calculates $E(s^0), E(s^1), E(s^2), E(s^3)$
Sends these 4 values to prover without revealing s.
Prover calculates $E(p(s))$ using different $E(s^n)$s. He also calculates $E(H(s))$ similarly without knowing $s$. He hands both to verifier
Verifier calculates $T(s)$ & then raises $E(H(s))^ {T(s)}$. If $E(P(s))$ sent by prover matches with $E(H(s))^ {T(s)}$, then the protocol verifies successfully.
I understood the protocol in general. There are issues with it which they address later, but one issue which comes to my mind (which they don't address) is the following.
If prover doesn't know the actual polynomial (i.e. $x^3 - 7x^2 + 12x$), but just picks some random 3rd solution - i.e. $x = 2$ & he goes ahead with the above protocol steps as described, it will still verify with the verifier.
In which case, I am unable to figure out what exactly is the protocol trying to achieve?
